Within a month, security breaches have been reported at 5 major contract research and diagnostic testing organizations. The “highly sophisticated and resourced” nature of the attacks and their timing suggest that contract research and testing companies are recognized as both data-rich and vulnerable.

In response, pharma and biotech companies that partner with these organizations must evolve their approach to cybersecurity. The massive investment in digital health and digital innovation means that all stakeholders, from investigators to sponsors and CROs, must work together to take ownership of securing the vast amounts of data generated.

In addition to maintaining their own infrastructure with IT and data security, R&D organizations must gain visibility into the security measures taken by outsourced R&D service providers and the data transferred between them, and must have a plan for mitigating future risk. This responsibility, once the domain of a company’s IT function, must be shared by all teams within organizations; scientific leadership, operations, legal and finance teams can all help mitigate the risks of managing outsourced R&D services.

Five key factors make the shared responsibility necessary:

Distributed, networked R&D. R&D studies are increasingly distributed across geographies and across multiple third-party providers and subcontractors.

Public awareness. While data disclosure events receive the most attention (because companies must publicly disclose data breaches), there is increased public awareness around other cyberattacks, such as ransomware attacks, phishing, and intellectual property theft.

High dollar amounts of losses incurred following cyberattacks, with increasingly sophisticated and destructive attacks. The NotPetya malware attack of 2018, which affected at least one major pharma company, cost companies over $10 billion.

More oversight. Given the 2013 HIPAA Omnibus Rule, Congress has asked that companies that have suffered data breaches share details around which third-party providers they use and what security measures are in place. Likewise, in Europe, 91 companies have been fined for lapses in data privacy since the GDPR data privacy regulation took effect in May 2018.

Barriers to visibility

Despite the need for increased visibility, managing external R&D projects has traditionally been manual, complex, and opaque. The process often lacks a clear audit trail and a centralized location for information, let alone integration with an organization’s internal systems. In one survey of R&D leaders, 78% of respondents felt at least somewhat challenged to confirm a provider’s commitment to data security and privacy. Of those surveyed, 79% said they were concerned about protecting IP when working with external R&D providers.

Technology platforms mitigate risk

Given that outsourced R&D comprises nearly half of R&D budgets, most major biopharmas, as well as an increasing number of emerging biotechs, have adopted the use of R&D services marketplaces, recognizing that failing to do so would put them at a competitive disadvantage. Marketplace platforms make it easier for organizations to assess provider quality, centralize data storage, maintain audit trails, and ensure security and privacy compliance.

One example of a digitized outsourced R&D platform is Science Exchange’s enterprise solution, the only HIPAA-certified R&D services platform. This platform also provides integration with purchasing systems, data warehouse integration, customizable reporting of key metrics, and other offerings tailored to help organizations conduct networked R&D, with transparency, at scale.